File name:	f7e1327208f06e5cdd6bbf11568a3afaf6c8902f1b7f24c3dd304737f1759070
Full analysis:	https://app.any.run/tasks/7221a559-4f02-47b5-bd25-eacf0638e313
Verdict:	Malicious activity
Threats:	Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	January 11, 2025, 01:29:58
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	sainbox rat gh0st vmprotect rdp upx
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:	588A3D3EC2A1E9967EA4C8A0BD492558
SHA1:	EBC484B0BE32A74A13D5FC00D2D604FB6495A58C
SHA256:	F7E1327208F06E5CDD6BBF11568A3AFAF6C8902F1B7F24C3DD304737F1759070
SSDEEP:	49152:ZaKoXA2V5VqZMBys8KZB6j/uDGspoHc+bi3vt2NCjE2NWgwvnfKKoTCZ+gKyEYV0:ZaKr2VHqZMR8KZB6j/vHc+bilgWEqWgV

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:03:29 14:48:39+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	3530752
InitializedDataSize:	835584
UninitializedDataSize:	-
EntryPoint:	0x2dfb0a
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Chinese (Simplified)
CharacterSet:	Unicode
FileVersion:	1.0.0.0
FileDescription:	Windows 配置程序
ProductName:	Windows 核心进程
ProductVersion:	1.0.0.0
LegalCopyright:	作者版权所有请尊重并使用正版
Comments:	本程序使用易语言编写(http://www.eyuyan.com)


(PID) Process:	(396) AK47.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é
Operation:	write	Name:	Description
Value: ¹ÜÀí»ùÓÚ×é¼þ¶ÔÏóÄ£ÐÍµÄºËÐÄ·þÎñ¡£Èç¹û·þÎñ±»½ûÓÃ£¬¼ÆËã»ú½«ÎÞ·¨Õý³£ÔËÐÐ¡£
(PID) Process:	(396) AK47.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters
Operation:	write	Name:	ServiceDll
Value: C:\WINDOWS\system32\1272171.txt
(PID) Process:	(396) AK47.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Svchost
Operation:	write	Name:	Ö÷¶¯·ÀÓù·þÎñÄ£¿é
Value: Ö÷¶¯·ÀÓù·þÎñÄ£¿é
(PID) Process:	(4512) AK74.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\Select
Operation:	write	Name:	MarkTime
Value: 2025-01-11 01:30
(PID) Process:	(5640) Ghiya.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
Operation:	write	Name:	Type
Value: 2
(PID) Process:	(5640) Ghiya.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
Operation:	write	Name:	Start
Value: 1
(PID) Process:	(5640) Ghiya.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
Operation:	write	Name:	ErrorControl
Value: 0
(PID) Process:	(5640) Ghiya.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
Operation:	write	Name:	ImagePath
Value: system32\DRIVERS\QAssist.sys
(PID) Process:	(5640) Ghiya.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
Operation:	write	Name:	DisplayName
Value: QAssist
(PID) Process:	(5640) Ghiya.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
Operation:	write	Name:	Group
Value: FSFilter Activity Monitor

PID	Process	Filename		Type
396	AK47.exe	C:\Windows\SysWOW64\1272171.txt		executable
		MD5:8EAAE0C0A7945BB10D1EFB12D74C2324	SHA256:942A7DE2DD0EAE7DC7DFB77A90C433518754B11A17BF08DB1855DD1ACC37ACD1
3988	f7e1327208f06e5cdd6bbf11568a3afaf6c8902f1b7f24c3dd304737f1759070.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk		binary
		MD5:D513248FB3F8CB7007AB16B6EA19571E	SHA256:FAD56F60D81B4FA49870BF50EFAA2C380BFC3F6A3A5B7ADD4EF0FC43A905AFDA
3988	f7e1327208f06e5cdd6bbf11568a3afaf6c8902f1b7f24c3dd304737f1759070.exe	C:\Users\admin\AppData\Roaming\svchcst.exe		executable
		MD5:588A3D3EC2A1E9967EA4C8A0BD492558	SHA256:F7E1327208F06E5CDD6BBF11568A3AFAF6C8902F1B7F24C3DD304737F1759070
3988	f7e1327208f06e5cdd6bbf11568a3afaf6c8902f1b7f24c3dd304737f1759070.exe	C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe		executable
		MD5:CCDEADDC873F03D600269ADC551CF23A	SHA256:9806B54CAA07D7B114C24066265D22DD880BBAEBEE22EA20DD11727DB9D57423
3988	f7e1327208f06e5cdd6bbf11568a3afaf6c8902f1b7f24c3dd304737f1759070.exe	C:\Users\admin\AppData\Roaming\Microsoft\VBS3.vbs		text
		MD5:17FE7BF9D8BBAD6AD6F80B1423CDD674	SHA256:DF0CDC607EFF62AFDF6ABE55DA5A2BB5DB531FD7B3C730793AE892F7921773C0
396	AK47.exe	C:\Windows\SysWOW64\ini.ini		text
		MD5:01C3085DD42DE4AECF03F81708411872	SHA256:8A2548B891036C71F80A3F765914092EE42340421E2B04374FC9F1247FE1F4C2
3988	f7e1327208f06e5cdd6bbf11568a3afaf6c8902f1b7f24c3dd304737f1759070.exe	C:\Users\admin\AppData\Roaming\Microsoft\Config.ini		text
		MD5:29CE53E2A4A446614CCC8D64D346BDE4	SHA256:56225BE6838BC6E93EA215891EACF28844AE27A9F8B2B29BF19D3A8C2B1F58DF
4512	AK74.exe	C:\Windows\SysWOW64\Ghiya.exe		executable
		MD5:B0998AA7D5071D33DAA5B60B9C3C9735	SHA256:3080B6BB456564899B0D99D4131BD6A0B284D31F7D80EF773E4872D94048D49A
3988	f7e1327208f06e5cdd6bbf11568a3afaf6c8902f1b7f24c3dd304737f1759070.exe	C:\Users\admin\AppData\Local\Temp\AK74.exe		executable
		MD5:B0998AA7D5071D33DAA5B60B9C3C9735	SHA256:3080B6BB456564899B0D99D4131BD6A0B284D31F7D80EF773E4872D94048D49A
3988	f7e1327208f06e5cdd6bbf11568a3afaf6c8902f1b7f24c3dd304737f1759070.exe	C:\Users\admin\AppData\Local\Temp\AK47.exe		executable
		MD5:423EB994ED553294F8A6813619B8DA87	SHA256:050B4F2D5AE8EAECD414318DC8E222A56F169626DA6CA8FEB7EDD78E8B1F0218

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2092	RUXIMICS.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2092	RUXIMICS.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4308	svchost.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4308	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4308	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2092	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	104.126.37.139:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	23.216.77.6:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4308	svchost.exe	23.216.77.6:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2092	RUXIMICS.exe	23.216.77.6:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158 51.124.78.146	whitelisted
www.bing.com	104.126.37.139 104.126.37.131	whitelisted
google.com	142.250.186.110	whitelisted
cf1549064127.f3322.net	—	whitelisted
crl.microsoft.com	23.216.77.6 23.216.77.28	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
self.events.data.microsoft.com	20.189.173.10	whitelisted

General Info

f7e1327208f06e5cdd6bbf11568a3afaf6c8902f1b7f24c3dd304737f1759070

588A3D3EC2A1E9967EA4C8A0BD492558

EBC484B0BE32A74A13D5FC00D2D604FB6495A58C

F7E1327208F06E5CDD6BBF11568A3AFAF6C8902F1B7F24C3DD304737F1759070

49152:ZaKoXA2V5VqZMBys8KZB6j/uDGspoHc+bi3vt2NCjE2NWgwvnfKKoTCZ+gKyEYV0:ZaKr2VHqZMR8KZB6j/vHc+bilgWEqWgV

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Creates or modifies Windows services

GH0ST mutex has been found

Starts CMD.EXE for self-deleting

Create files in the Startup directory

Changes the autorun value in the registry

SAINBOX has been detected

Uses sleep, probably for evasion detection (SCRIPT)

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Mutex name with non-standard characters

Executes as Windows Service

Starts CMD.EXE for commands execution

Hides command output

Drops a system driver (possible attempt to evade defenses)

Application launched itself

Creates files in the driver directory

Creates or modifies Windows services

Runs PING.EXE to delay simulation

Executes WMI query (SCRIPT)

The process executes VB scripts

Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

There is functionality for taking screenshot (YARA)

There is functionality for enable RDP (YARA)

Connects to unusual port

INFO

The sample compiled with chinese language support

Reads the computer name

Checks supported languages

Process checks computer location settings

Create files in a temporary directory

The process uses the downloaded file

Creates files or folders in the user directory

VMProtect protector has been detected

UPX packer has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events